Critical cPanel & WHM Auth Bypass Actively Exploited – CVE-2026-41940

Critical cPanel & WHM Auth Bypass Actively Exploited - CVE-2026-41940 copy
You are here:

EXECUTIVE SUMMARY

A critical authentication bypass vulnerability (CVE-2026-41940) in cPanel and WHM is actively exploited in the wild. It allows unauthenticated attackers to manipulate session data and bypass login mechanisms, gaining root-level access without valid credentials. With public PoC and automated attacks observed, this poses a high risk to exposed systems. Immediate patching is strongly recommended.

  • CVE: CVE-2026-41940
  • CVSS: 9.8
  • Active Region: Global
  • Affected Sector: Web hosting providers, MSPs, enterprises using shared hosting
  • Affected Product: cPanel & WHM (v11.40+)
  • Severity: Critical
  • Published Date: April 29, 2026

TECHNICAL DETAILS

This vulnerability resides in the cPanel/WHM authentication pipeline, specifically in how the cpsrvd daemon handles session creation, storage, and validation across requests. The flaw enables attackers to manipulate pre-authentication session data and elevate privileges by abusing inconsistencies between raw session files and cached session state.

  • Target: cpsrvd service (core daemon handling authentication, session lifecycle, and WHM/cPanel request processing).
  • Root Cause: Improper session handling allows CRLF injection via unsanitized Basic Auth input, combined with weak input validation and a session encoding bypass when the value is missing. Inconsistent processing between raw session files and cache enables injected values to be trusted, and critical session flags are not revalidated, allowing authentication bypass.
  • Prerequisite for Exploitation: Network access to cPanel/WHM ports (2083/2087/2095/2096) and the ability to send crafted HTTP requests (Authorization + Cookie) to……

Download the Report

Date

Share

Previous Reports